Thursday 13 September 2018

A look (and play) into CVE-2018-8440. The Windows ALPC Elevation of Privilege Vulnerability

--> So what is it?
On Aug 27, freelance researcher @SandboxEscaper let loose a POC 0-day privilege escalation affecting all versions of Windows.
From what I gather, the vulnerability was not responsibly disclosed. There was some banter on Twitter towards SandboxEscaper…

A few days later, Acros Security, a security research company in Slovenia, released an unofficial patch. Eventually, Microsoft released an official patch as part of the September Patch Tuesday on the 10th.
As detailed in VU#906424, the flaw exists in the way the SchRpcSetSecurity API (part of the Windows Task Scheduler) handles the Advanced Local Procedure Call (ALPC) interface. It can be leveraged to overwrite protected system files that an authenticated user does not otherwise have access to.

--> Let’s play with the poc
First, fire up my Windows 10 VM and make sure I'm a regular low-privileged user:

Let's check the spoolsv.exe service in Process Explorer. As shown below, it has no child processes spawned or running:

Now I open Notepad (PID 1988). As shown below, it is running as the low-privileged user n33dle:

Now let's inject this process into spoolsv using the PoC exploit:

And there you have it… notepad.exe is now running as NT AUTHORITY\SYSTEM as a child process of spoolsv.exe.
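To turn the Process Explorer check above into something scriptable, here is an added PowerShell example (my own illustration, not code from the original post or from the PoC) that lists every process whose parent is spoolsv.exe together with its owner. It assumes it is run from an elevated session, since the owner of SYSTEM processes cannot be read otherwise.

```powershell
# Added example: report child processes of spoolsv.exe, which on a clean
# workstation normally has none. A child running as SYSTEM is the indicator
# shown in the screenshots above. Assumes an elevated session.
function Get-SpoolsvChildProcess {
    [CmdletBinding()]
    param()

    # Collect every running spoolsv.exe instance (usually exactly one).
    $spoolers = @(Get-CimInstance Win32_Process -Filter "Name = 'spoolsv.exe'")
    if ($spoolers.Count -eq 0) { return @() }

    $spoolerByPid = @{}
    foreach ($s in $spoolers) { $spoolerByPid[[uint32]$s.ProcessId] = $s }

    Get-CimInstance Win32_Process |
        Where-Object {
            $parent = $spoolerByPid[[uint32]$_.ParentProcessId]
            # Guard against PID reuse: a genuine child was created after its parent.
            $parent -and $_.CreationDate -gt $parent.CreationDate
        } |
        ForEach-Object {
            # GetOwner needs privileges over the target process; SYSTEM-owned
            # processes report 'unknown' from a non-elevated session.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [PSCustomObject]@{
                Name        = $_.Name
                ProcessId   = $_.ProcessId
                ParentPid   = $_.ParentProcessId
                Owner       = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }
                Created     = $_.CreationDate
                CommandLine = $_.CommandLine
            }
        }
}

$children = @(Get-SpoolsvChildProcess)
if ($children.Count -eq 0) {
    Write-Host 'No child processes of spoolsv.exe found (expected baseline).'
} else {
    # Some print drivers legitimately spawn helpers, so baseline before alerting.
    Write-Warning "spoolsv.exe has $($children.Count) child process(es); review each one:"
    $children | Format-Table -AutoSize
}
```

Run it before and after the PoC: the first run should print the baseline message, the second should list notepad.exe with owner NT AUTHORITY\SYSTEM and a ParentPid equal to the spooler's PID.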

--> Mitigation/Remediation
1. Ultimately, patch systems for CVE-2018-8440 (Microsoft September Security Updates).
2. Not recommended, but you could modify the NTFS ACL on the Tasks directory under C:\windows, removing the Authenticated Users group and adding a deny entry for the SYSTEM user:
--> icacls c:\windows\tasks /remove:g "Authenticated Users"
--> icacls c:\windows\tasks /deny system:(OI)(CI)(WD,WDAC)

That's it for now. I'm going to look into the source code and see if I can spawn a SYSTEM command shell. I'll need to modify the resource.aps source file, as that is used to compile the DLL which is injected into the spoolsv service.

--> n33dle
